Generating External HSM Key-Cert Pairs for DNSSEC

When the BIG-IP® system is a BIG-IP DNS (previously Global Traffic
Manager), you can use a Thales nShield Connect external HSM to generate, store, and
manage the private keys that BIG-IP DNS uses for DNSSEC signing.

For additional information about the Thales nShield Connect, refer to the
Thales website: https://www.thales-esecurity.com

Task list

Generating an external key for creating manually managed DNSSEC keys

Before you generate the key, make sure that the Thales nShield Connect client
software is installed and running on every BIG-IP® DNS device in the configuration
synchronization group, not only on the device where you run the utility.

You can use the fipskey.nethsm utility to generate a key on the nShield Connect
HSM together with a self-signed certificate; this key/certificate pair is what you
later reference when you create a manually managed DNSSEC key. The utility also
writes a certificate signing request (.csr file) for the key, which you can submit
to a certificate authority (CA) if you want a CA-signed certificate instead of the
self-signed one.
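The following POSIX shell script is an added example, not code from F5 or Thales, that wraps the procedure above: it verifies that the nShield client is operational on the local device and on each peer in the configuration synchronization group before it generates the key, then checks that the expected output files exist. It assumes the standard Security World path /opt/nfast/bin/enquiry and its "Server:" / "Module #N:" / "mode operational" report format, that fipskey.nethsm accepts `--genkey -o <name>` and writes <name>.key, <name>.crt and <name>.csr under /config/ssl/, and that peers are reachable over ssh as root; confirm the flags and paths against the documentation for your BIG-IP version.

```shell
#!/bin/sh
# Added example (not F5's or Thales' own code). Assumptions, as stated in the
# lead-in: enquiry path/format, fipskey.nethsm flags and output paths, root ssh.

# Parse enquiry(1)-style output from stdin. Succeed only when the hardserver
# ("Server:" section) and at least one module report mode "operational".
# If the hardserver is down, enquiry prints an error and no "Server:" section,
# so this fails closed.
enquiry_operational() {
    awk '
        /^Server:/          { section = "server" }
        /^Module #/         { section = "module" }
        /^ *mode +[a-z]/    {
            if (section == "server" && $2 == "operational") srv = 1
            if (section == "module" && $2 == "operational") mod++
        }
        END { exit (srv && mod > 0) ? 0 : 1 }
    '
}

# Key names become file names under /config/ssl/, so reject anything that is
# not a plain identifier (no slashes, spaces, shell metacharacters, leading dot).
valid_key_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]* | .*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the nShield client on every peer in the sync group (assumes root ssh).
check_sync_group() {
    fail=0
    for host in "$@"; do
        if ssh -o BatchMode=yes "root@$host" /opt/nfast/bin/enquiry 2>/dev/null \
                | enquiry_operational; then
            echo "ok:   $host"
        else
            echo "FAIL: $host (nShield client not operational)" >&2
            fail=1
        fi
    done
    return $fail
}

# Generate the key on the HSM and confirm the key reference, self-signed
# certificate and CSR were written (assumed flags and paths, see lead-in).
generate_hsm_key() {
    name=$1
    valid_key_name "$name" || { echo "invalid key name: $name" >&2; return 2; }
    fipskey.nethsm --genkey -o "$name" || return 1
    for f in /config/ssl/ssl.key/$name.key \
             /config/ssl/ssl.crt/$name.crt \
             /config/ssl/ssl.csr/$name.csr; do
        [ -s "$f" ] || { echo "expected output missing: $f" >&2; return 1; }
    done
    echo "CSR to submit to your CA (optional): /config/ssl/ssl.csr/$name.csr"
}

main() {
    name=$1; shift
    /opt/nfast/bin/enquiry 2>/dev/null | enquiry_operational \
        || { echo "local nShield client not operational" >&2; exit 1; }
    [ $# -eq 0 ] || check_sync_group "$@" || exit 1
    generate_hsm_key "$name"
}

# Usage: sh nethsm-dnssec-key.sh --run <keyname> [peer-host ...]
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

The pre-flight check deliberately requires both the hardserver and a module to be operational: a running client process with no usable module would let fipskey.nethsm start and then fail part-way, and a key generated while a peer's client is down cannot be used from that peer until it is repaired.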

Creating a DNSSEC key using an external HSM key and certificate

Before you create a DNSSEC key using an external key and certificate,
make sure that you have generated the key and certificate on the Thales nShield
Connect and loaded (imported) both onto the BIG-IP system.

You can create manually managed DNSSEC zone-signing keys (ZSKs) and key-signing
keys (KSKs) that use a key held on an external HSM. For the detailed steps, see
Configuring DNSSEC with an external HSM in BIG-IP® DNS Services: Implementations
at http://support.f5.com.